Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/15/2017
02:30 PM
Hector Menendez
Hector Menendez
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Trust Begins With Layer 1 Encryption

In today's distributed environment, cloud and communication service providers can play a key role in providing organizations with a scalable and secure platform for the connection of everything to everything. Here's how.

At which network layer should we handle security of in-flight data? Some argue the application layer is most appropriate because this is where the user’s personal data, semantics and security requirements reside. Others argue that security should start in the network and physical layers, protecting even the protocol information involved in moving data — implementing encryption as deeply as possible, even at Layer 1. This is particularly true for Internet of Things (IoT) traffic where data generated is never at rest.

Depending on security requirements, both are correct. Security at different levels can be complementary and collectively enhance security. Cybercrime is now costing companies over $400 billion annually. According to Gemalto’s breach level index, since 2013, security breaches have resulted in the loss or theft of an estimated 5.9 billion data records from enterprises worldwide. That’s about 47 records every second. Of course, if records are encrypted, stolen information is useless. But that is only happening 4%  of the time! So, while application layer security is a great idea, other layers of protection are also needed.

Regulated industries, such as healthcare and financial services, suffer the most costly data breaches due to fines and a higher-than-average rate of lost business. Last year, the average cost per incident was $4 million, according to a 2016 Poneman Institute study. Organizations recognize that the longer it takes to detect and contain a data breach the more costly it becomes to resolve.

Enterprises have traditionally relied on perimeter security in the form of firewalls, DMZs and other technologies. However, as they turn increasingly to cloud-based enterprise services, perimeter security is no longer sufficient. Their enterprise-critical data is distributed far beyond the organization’s boundaries. But doesn’t this evolution from enterprise perimeter security to wide-area networking and cloud services increase the degree of risk for enterprises?

Contrary to some opinion, this move to the cloud is likely to make most enterprises more secure. It is important to remember that Layer 1 security starts with ensuring the physical security of all the various network elements and facilities. Communication Service Providers (CSPs) and cloud providers are better equipped than most enterprises to ensure the physical security of their infrastructure, yielding an improvement to overall security. CSP network elements, for instance, are more tamper-resistant and difficult to deactivate or bypass than their enterprise counterparts. Also, the CSP can ensure the availability of network services with a robust assurance function that can provide the enterprise customer with much greater security than the typical enterprise network provides. It is a similar situation in cloud data centers.

With better physical security for network infrastructure and higher availability and uptime for network resources, the next level of protection is through network traffic encryption. Best practices call for a holistic security approach that includes a multi-layered, “defense-in-depth” strategy.

Encryption is costly at higher network layers. Layer 1 encryption reduces the cost per encrypted bit by integrating the encryption function into the transport system. Encryption at higher layers also adds significant overhead and data stream latency. In contrast, Layer 1 encryption adds almost no additional overhead or latency to the transport process. Hardware-based Layer 1 encryption solutions enable very high bandwidth with encryption of 10 or 100 Gbps wire speeds and higher. This is especially critical for services that require real-time traffic management to uphold service level agreement (SLA) requirements for application disk access and rich content delivery such as video and voice calls.

Of course, the encryption algorithm must rely on strong, quality keys. For “top secret” data requiring 256-bit strength, a strong AES-256 algorithm with 256-bit key size should be used. And the keys should come from a key generator that produces a truly random, quality key to match the strength of the encryption algorithm.

Key management, exchange and authentication can be labor-intensive and cumbersome when there are many separate encryption devices and encryption streams to manage. By centralizing key management, the CSP can ensure a single point of trust and consistent policy enforcement. It also streamlines administration by allowing updates to be made once, and cascaded automatically across the network. This enables single-point key revocation and one-point-to-force, multi-tenant synchronized key rotations.

Enterprises should feel more confident about distributing their applications across the wide area and utilizing cloud-based services. The new distributed, cloud model is changing many aspects of our digital world, perhaps none more so than the key role that CSPs play to provide a global, scalable and secure platform for the connection of everything to everything. Layer 1 security is the foundation for confidence and trust in securing data while in-flight.

Related Content:

 

Hector is focused on optical networking solutions. In this role, he develops and markets service provider solutions on topics including mobile fronthaul, mobile backhaul, and secure optical transport. Hector has over 25 years of telecommunications experience and has held a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
10 Notable Security Acquisitions of 2019 (So Far)
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12865
PUBLISHED: 2019-06-17
In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.
CVE-2017-10720
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed o...
CVE-2017-10721
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car ga...
CVE-2017-10722
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is install...
CVE-2017-10723
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows it...